What is OAuth 2.0?


1. Definition

A JWT is a compact, URL-safe, JSON-based token format used to securely transmit information between parties.
It carries a signature (an HMAC with a shared secret, or a digital signature with a public/private key pair) so the receiver can verify that the data hasn’t been altered.


2. Structure

A JWT has three parts, separated by dots (.):

header.payload.signature

Header – Metadata about the token (e.g., algorithm & type).

{ "alg": "HS256", "typ": "JWT" }

Payload – Claims (statements) about the user or token (e.g., user ID, role, expiration).

{ "sub": "123456", "name": "John Doe", "admin": true, "exp": 1735689600 }

Signature – Cryptographic signature computed over the encoded header and payload (header.payload), ensuring integrity.


3. Problem it Solves

  • Traditional session-based authentication requires storing session data on the server, which is hard to scale horizontally.
  • Sending raw user credentials for every request is insecure.
  • APIs need a stateless way to authenticate and authorize requests.

4. Solution

  • JWT is self-contained: all necessary info (user ID, roles, expiry) is inside the token.
  • The server doesn’t store session state — it just validates the signature and claims.
  • Tokens can be easily passed via:
    • HTTP headers (Authorization: Bearer <token>)
    • Query params
    • Cookies

5. Common Uses

  • Authentication – After login, the server issues a JWT, and the client includes it in every request to prove identity.
  • Authorization – APIs check claims (roles, scopes) in the token before granting access.
  • Information Exchange – Securely pass signed data between services.

6. Security Notes

  • Always use HTTPS — JWT contents are only Base64url-encoded, not encrypted, so anyone who sees the token can read its claims.
  • Include exp (expiration) to limit token lifetime.
  • Store sensitive data server-side or use encrypted tokens (JWE).
  • Limit the damage from a compromised token with a short expiry plus refresh tokens, so a stolen token is useful only briefly.
